Access to Role 'cognito role' is forbidden


Question

I'm getting this strange error "Access to Role 'cognito role' is forbidden" while creating a CloudFormation stack. Here is my CloudFormation file in YAML format.

I'm basically creating an S3 bucket and a Cognito identity to facilitate client-side access to my bucket. The whole thing is working fine except for this error: Access to Role 'phototest-cognitoRole-1AMKUVXUXAJ5H' is forbidden. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException)

AWSTemplateFormatVersion: 2010-09-09

Resources:

    photoBucket:
        Type: AWS::S3::Bucket
        Properties:
            BucketName: it-academy-photos-bucket
            CorsConfiguration:
                CorsRules:
                    - AllowedHeaders: ['*']
                      AllowedMethods: [GET,POST,PUT]
                      AllowedOrigins: ['*']
                      Id: myrules

    cognitoRole:
        Type: AWS::IAM::Role
        Properties:
            AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                    -
                        Effect: Allow
                        Principal:
                            Federated:
                                - "cognito-identity.amazonaws.com"
                        Action:
                            - sts:AssumeRoleWithWebIdentity
            Policies:
                -
                    PolicyName: "photo_client_policy"
                    PolicyDocument:
                        Version: '2012-10-17'
                        Statement:
                            -
                                Sid: VisualEditor1
                                Effect: Allow
                                Action:
                                    - s3:PutObject
                                    - s3:GetObjectAcl
                                    - s3:GetObject
                                    - s3:GetObjectTorrent
                                    - s3:GetObjectVersionAcl
                                    - s3:PutObjectVersionTagging
                                    - s3:GetObjectTagging
                                    - s3:PutObjectTagging
                                    - s3:PutBucketCORS
                                    - s3:PutObjectAcl
                                    - s3:GetObjectVersion
                                # "*" applies these actions to every bucket in the account, not only photoBucket
                                Resource: "*"

    cognitoIdentityPool:
        Type: AWS::Cognito::IdentityPool
        Properties:
            IdentityPoolName: "photo_bucket"
            AllowUnauthenticatedIdentities: true

    cognitoIdentityPoolRoleAttachment:
        Type: AWS::Cognito::IdentityPoolRoleAttachment
        Properties:
            IdentityPoolId: !Ref cognitoIdentityPool
            Roles:
                # !Ref on an IAM role returns the role name; Cognito expects the role ARN here
                unauthenticated: !Ref cognitoRole


Recommended answer

I was having the same problem and figured out the unauthenticated role needs the ARN and not the logical ID. This should fix the issue:

cognitoIdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
        IdentityPoolId: !Ref cognitoIdentityPool
        Roles:
            unauthenticated: !GetAtt cognitoRole.Arn
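As an added example (not code from the question or the answer), a stdlib-only template check that catches the mistake above before a deploy: it reads the template in CloudFormation's JSON form (YAML `!Ref X` is `{"Ref": "X"}`, `!GetAtt X.Arn` is `{"Fn::GetAtt": ["X", "Arn"]}`), flags any IdentityPoolRoleAttachment role that is not an ARN, and, as a defender's caveat, flags an unauthenticated role whose inline policy allows actions on `Resource: "*"`. The embedded template is constructed to mirror the question's YAML.

```python
import json
# Constructed template in CloudFormation's JSON form, mirroring the question's YAML
# (YAML `!Ref X` is {"Ref": "X"}; `!GetAtt X.Arn` is {"Fn::GetAtt": ["X", "Arn"]}).
TEMPLATE = json.loads("""{
 "Resources": {
  "cognitoRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
    {"PolicyName": "photo_client_policy", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "*"}]}}]}},
  "cognitoIdentityPool": {"Type": "AWS::Cognito::IdentityPool",
                          "Properties": {"AllowUnauthenticatedIdentities": true}},
  "cognitoIdentityPoolRoleAttachment": {"Type": "AWS::Cognito::IdentityPoolRoleAttachment",
    "Properties": {"IdentityPoolId": {"Ref": "cognitoIdentityPool"},
                   "Roles": {"unauthenticated": {"Ref": "cognitoRole"}}}}}}""")

def role_target(value):
    """(logical id, is_arn): Ref yields the role *name*; only GetAtt .Arn or a literal ARN passes."""
    if isinstance(value, str):
        return None, value.startswith("arn:aws:iam::") and ":role/" in value
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"], False
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        logical_id, attr = value["Fn::GetAtt"]
        return logical_id, attr == "Arn"
    return None, False

def wildcard_resource(role):
    """True if any Allow statement in the role's inline policies uses Resource "*"."""
    for policy in role.get("Properties", {}).get("Policies", []):
        for stmt in policy["PolicyDocument"].get("Statement", []):
            resource = stmt.get("Resource", [])
            if stmt.get("Effect") == "Allow" and "*" in ([resource] if isinstance(resource, str) else resource):
                return True
    return False

def lint(template):
    """Findings per IdentityPoolRoleAttachment: wrong role reference shape, and an
    unauthenticated (anonymous) role whose policy is not scoped to a resource."""
    resources = template["Resources"]
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::Cognito::IdentityPoolRoleAttachment":
            continue
        for kind, value in res["Properties"].get("Roles", {}).items():
            logical_id, is_arn = role_target(value)
            if not is_arn:
                findings.append(f"{name}.Roles.{kind}: needs the role ARN (Fn::GetAtt role.Arn), not Ref")
            if kind == "unauthenticated" and wildcard_resource(resources.get(logical_id, {})):
                findings.append(f"{name}.Roles.{kind}: {logical_id} allows S3 actions on Resource \"*\" to anonymous identities")
    return findings
```

Running `lint(TEMPLATE)` on the question's shape yields both findings; switching the role entry to `Fn::GetAtt` clears the first, and scoping `Resource` to the bucket's ARN clears the second.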
